Your company sends hundreds, if not thousands, of emails every day. From critical internal communications to marketing newsletters and customer support messages, email is the lifeblood of your operations. But have you ever wondered if those emails are actually reaching their destination? Or if someone else is sending emails that look like they’re from you?

Without proper email authentication, you're leaving your domain vulnerable to phishing attacks, spoofing, and a damaged sender reputation. This can lead to your legitimate emails landing in spam folders or being rejected outright by receiving servers. The result is poor communication, lost revenue, and a tarnished brand image.

This guide will walk you through everything you need to know about setting up email authentication for your Google Workspace account. We’ll break down the three key protocols—SPF, DKIM, and DMARC—into clear, actionable steps. By the end of this post, you'll have the knowledge to secure your email channels, improve deliverability, and protect your brand's reputation.

Why Email Authentication Is Essential

Email authentication is a set of technical standards that verify an email is truly from the sender it claims to be from. Think of it as a digital seal of approval for your emails. By implementing it, you prove to Internet Service Providers (ISPs) like Gmail, Outlook, and Yahoo that you are a legitimate sender.

This process relies on three main protocols working together:

  • SPF (Sender Policy Framework): This record lists the mail servers and services authorized to send email on behalf of your domain.

  • DKIM (DomainKeys Identified Mail): This adds a digital signature to your emails, allowing the receiving server to verify that the message hasn't been altered in transit.

  • DMARC (Domain-based Message Authentication, Reporting, and Conformance): This protocol tells receiving servers what to do with emails that fail SPF or DKIM checks and provides reports on your email activity.

Implementing these protocols brings three major benefits:

  1. Improved Deliverability: Authenticated emails are far less likely to be marked as spam, ensuring your important messages reach the inbox.

  2. Enhanced Security: It prevents bad actors from spoofing your domain, protecting your customers, partners, and employees from phishing scams.

  3. Protected Brand Reputation: By securing your email communications, you build trust with recipients and safeguard your brand's credibility.

Step 1: Setting Up SPF for Google Workspace

Sender Policy Framework (SPF) is the first line of defense in email authentication. It allows you to create a public list of servers that are approved to send emails from your domain. When an email server receives a message, it checks the sender's SPF record to see if the sending server is on that approved list.

How to Create and Add Your Google Workspace SPF Record

An SPF record is a simple line of text added to your domain's DNS (Domain Name System) settings. For Google Workspace, the process is straightforward.

1. Check for an Existing SPF Record
Before you create a new record, you need to see if you already have one. You can use a free online tool like the MXToolbox SPF Record Generator to look up your domain.

If you already have an SPF record, you will need to modify it. You should only ever have one SPF record on your domain. Multiple records can cause validation errors.

2. Create Your SPF Record
The SPF record for sending email only through Google Workspace is:

v=spf1 include:_spf.google.com ~all

Let's break this down:

  • v=spf1: Identifies the record as an SPF record.

  • include:_spf.google.com: This is the mechanism that includes Google's list of approved sending servers in your record.

  • ~all: This is a "soft fail" qualifier. It tells receiving servers to mark emails from non-authorized servers as suspicious but not necessarily reject them outright. This is the setting Google recommends.

If you use other services to send email (like Mailchimp or Salesforce), you'll need to add their SPF mechanisms to the same record. For example:

v=spf1 include:_spf.google.com include:servers.mcsv.net ~all

3. Add the SPF Record to Your DNS Settings
Log in to your domain host's administrative console (e.g., GoDaddy, Namecheap, Cloudflare).

  • Navigate to the DNS management page.

  • Create a new TXT record (or edit your existing one).

  • In the Host/Name field, enter @ or leave it blank (this depends on your DNS provider's interface).

  • In the Value/Data field, paste your SPF record string (e.g., v=spf1 include:_spf.google.com ~all).

  • Set the TTL (Time To Live) to 3600 seconds (1 hour) or use your provider's default.

  • Save the record. DNS changes can take up to 48 hours to propagate across the internet, but it's often much faster.

How to Test Your SPF Record

After waiting for the DNS changes to propagate, you can test your SPF record using a tool like MXToolbox or by sending an email from your Google Workspace account to a Gmail address. Open the email in Gmail, click the three dots next to the "Reply" button, and select "Show original." In the email header, you should see PASS next to the SPF entry.

Step 2: Setting Up DKIM for Google Workspace

DomainKeys Identified Mail (DKIM) adds a layer of security by attaching a cryptographic digital signature to your outgoing emails. This signature is tied to your domain and verifies that the email's content has not been tampered with. The receiving server uses a public key, published in your DNS, to verify the signature and confirm the email's integrity.

How to Generate and Add Your Google Workspace DKIM Record

This process involves generating a key in your Google Workspace Admin console and then adding it to your DNS records.

1. Generate a DKIM Key in Google Workspace

  • Log in to your Google Admin console (at admin.google.com).

  • Go to Apps > Google Workspace > Gmail.

  • Click on Authenticate email.

  • In the Selected domain menu, choose the domain you want to set up DKIM for.

  • Click the Generate new record button.

  • In the pop-up window, select 2048 for the DKIM key bit length for stronger security. The prefix selector will likely default to google. You can leave this as is.

  • Click Generate. Your DKIM key will be created and displayed. Keep this window open.

The generated information will include a DNS Host Name (TXT record name) and a TXT Record Value.

2. Add the DKIM Record to Your DNS Settings
Now, go back to your domain host's DNS management page.

  • Create a new TXT record.

  • For the Host/Name field, copy the DNS Host Name from the Google Admin console. It will look something like google._domainkey.

  • For the Value/Data field, copy the entire TXT Record Value from the Admin console. This is a long string of characters.

  • Set the TTL to 3600 or your provider's default.

  • Save the record.

3. Start DKIM Authentication in Google Workspace
After the DNS record has had time to propagate (again, up to 48 hours), return to the Authenticate email page in your Google Admin console.

  • Click the Start authentication button.

  • The system will check for your published DKIM key. If it finds it, the status at the top of the page will change to Authenticating email.

How to Test Your DKIM Record

Similar to SPF, you can test DKIM by sending an email to a Gmail account and checking the original message headers. Look for the DKIM entry, which should show a result of PASS with your domain name.
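
The header check described for SPF and DKIM can be scripted. The following is an added example, not part of the original guide: it parses the Authentication-Results line from "Show original" and confirms each PASS was earned by your own domain rather than by a third-party sender's domain. The header values, example.com and mailer.test are constructed placeholders.

```python
import re

# Constructed Authentication-Results values in the layout Gmail shows under
# "Show original"; example.com and mailer.test are placeholder domains.
OWN_MAIL = """mx.google.com;
   dkim=pass header.i=@example.com header.s=google header.b=AbCdEfGh;
   spf=pass (google.com: domain of alice@example.com designates 192.0.2.10 as permitted sender) smtp.mailfrom=alice@example.com;
   dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=example.com"""
THIRD_PARTY_MAIL = """mx.google.com;
   dkim=pass header.i=@mailer.test header.s=k1 header.b=ZyXwVuTs;
   spf=pass (google.com: domain of bounce@mailer.test designates 198.51.100.7 as permitted sender) smtp.mailfrom=bounce@mailer.test;
   dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=example.com"""


def parse_auth_results(value):
    """Split an Authentication-Results value into one dict per method result."""
    value = re.sub(r"\([^()]*\)", " ", value)        # drop parenthesised comments
    parts = [p.strip() for p in value.split(";") if p.strip()]
    results = []
    for part in parts[1:]:                           # parts[0] is the reporting server
        tokens = part.split()
        method, _, result = tokens[0].partition("=")
        props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        results.append({"method": method.lower(), "result": result.lower(), **props})
    return results


def passes_for_domain(value, domain):
    """Report whether SPF and DKIM passed for `domain` itself, not merely passed."""
    def owned(identity):
        host = identity.rsplit("@", 1)[-1].lower().rstrip(".")
        return host == domain or host.endswith("." + domain)

    verdict = {"spf": False, "dkim": False}
    for r in parse_auth_results(value):
        if r["result"] != "pass":
            continue
        if r["method"] == "spf" and owned(r.get("smtp.mailfrom", "")):
            verdict["spf"] = True
        if r["method"] == "dkim" and owned(r.get("header.i") or r.get("header.d", "")):
            verdict["dkim"] = True
    return verdict


if __name__ == "__main__":
    print(passes_for_domain(OWN_MAIL, "example.com"))
    print(passes_for_domain(THIRD_PARTY_MAIL, "example.com"))
```

The second sample shows why the domain matters: both checks report pass, but for the sending service's domain, so the message still fails DMARC for example.com.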

Step 3: Setting Up DMARC for Google Workspace

DMARC is the final piece of the puzzle. It builds on SPF and DKIM to give you control over your email authentication policy and provide valuable feedback. A DMARC record tells receiving servers how to handle emails that fail SPF and/or DKIM checks. It also enables reporting, so you can see who is sending email on behalf of your domain.

How to Create and Add Your DMARC Record

Creating a DMARC record is similar to SPF and DKIM. You'll add another TXT record to your DNS.

1. Create Your DMARC Record
A basic DMARC record looks like this:

v=DMARC1; p=none; rua=mailto:[email protected]

Let's dissect the tags:

  • v=DMARC1: Identifies the record as a DMARC record.

  • p=none: This is the policy tag. none is a monitoring-only policy. It tells receiving servers to take no specific action on failing emails but to send you reports. It is crucial to start with p=none.

  • rua=mailto:[email protected]: This specifies the email address where you want to receive aggregate DMARC reports. You should create a dedicated mailbox for this, as you'll receive a lot of XML reports.

2. Add the DMARC Record to Your DNS Settings

  • Go to your domain host's DNS management page.

  • Create a new TXT record.

  • For the Host/Name field, enter _dmarc.

  • For the Value/Data field, paste your DMARC record string.

  • Save the record.

Choosing the Right DMARC Policy

Your DMARC policy tells servers what to do with unauthenticated mail. You should progress through the policies carefully.

  • p=none (Monitoring): This is where you must start. It lets you collect data and analyze your DMARC reports to ensure all your legitimate sending sources are properly authenticated. Jumping to a stricter policy too soon can cause legitimate emails to be blocked.

  • p=quarantine (Quarantine): This policy tells receiving servers to send failing emails to the spam or junk folder. Once you are confident that all your valid mail is passing authentication checks, you can move to this policy.

  • p=reject (Reject): This is the strictest policy. It instructs receiving servers to completely block and reject any emails that fail DMARC. This provides the highest level of protection against spoofing.

Monitoring Your DMARC Reports

DMARC reports are sent as XML files and can be difficult to read manually. It's highly recommended to use a DMARC monitoring service (like Dmarcian, Postmark, or Valimail) to parse these reports. These services provide user-friendly dashboards that help you:

  • Identify all services sending email on behalf of your domain.

  • See which emails are passing or failing authentication checks.

  • Diagnose and fix SPF and DKIM issues.

Spend several weeks in p=none mode, analyzing reports and authenticating all your legitimate senders before moving to p=quarantine and eventually p=reject.

Advanced Tips and Troubleshooting

As you implement email authentication, you may run into some common issues.

  • SPF "Too Many Lookups" Error: An SPF record cannot require more than 10 DNS lookups to be fully resolved. If you use many third-party services, you may exceed this limit. To fix this, you can use an SPF flattening service or carefully review and consolidate your include mechanisms.

  • Handling Third-Party Senders: Always check the documentation of any third-party service that sends email for you (e.g., CRMs, marketing platforms, helpdesks). They will provide instructions on how to include their SPF and/or DKIM records in your DNS.

  • Maintaining Authentication: Email authentication is not a "set it and forget it" task. Whenever you add a new service that sends email, you must update your SPF and DKIM records accordingly. Regularly review your DMARC reports to monitor for new, unauthorized sending sources.

Secure Your Email Today

Setting up email authentication for your Google Workspace is a critical step in securing your business communications. By correctly configuring SPF, DKIM, and DMARC, you take control of your domain, protect your brand from fraud, and significantly improve your email deliverability.

While the process may seem technical, following the steps outlined in this guide will put you on the right path. Start today by checking your current records, and work methodically toward a p=reject DMARC policy. Your customers, employees, and bottom line will thank you.
